Watch Out Wednesday – February 28, 2024

Plugin: Maintenance Page

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Directory Traversal to Local File Inclusion
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Cross-Site Request Forgery via extend_builder
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Dual Button Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modal Popup effect
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Missing Authorization to Unauthenticated Read Status Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
Patched Version: 4.15.1
Recommended Action: Update to version 4.15.1, or a newer patched version

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maintenance Page

Vulnerability: Security Mechanism Bypass via REST API
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Relevanssi – A Better Search

Vulnerability: Missing Authorization to Unauthenticated Query Log Export
Patched Version: 4.22.1
Recommended Action: Update to version 4.22.1, or a newer patched version

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Cross-Site Request Forgery via cp_shortcode_refresh
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Event Tickets and Registration

Vulnerability: Missing Authorization
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version

Plugin: Academy LMS – eLearning and online course solution for WordPress

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.9.20
Recommended Action: Update to version 1.9.20, or a newer patched version

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Missing Authorization to Unauthenticated Bookmark Status Alteration
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version